7-Zip: Multiple Memory Corruptions via RAR and ZIP

I have discussed this issue with Igor Pavlov and tried to convince him to enable all three flags. However, he refused to enable /DYNAMICBASE because he prefers to ship the binaries without relocation table to achieve a minimal binary size. Moreover, he doesn’t want to enable /GS, because it could affect the runtime as well as the binary size. At least he will try to enable /NXCOMPAT for the next release. Apparently, it is currently not enabled because 7-Zip is linked with an obsolete linker that doesn’t support the flag.

Recompiling by trusted people sounds like a perfect job for maintainers (think Debian and other distributions), especially if there are reproducible builds (which Debian also enabled for most (all?) packages now).

While mandatory ASLR is a nice feature (and will be supported by Windows 10 even without EMET), it will not work for binaries with stripped relocation table. Igor seems to do exactly this to reduce the size of the binary.

Also, EMET cannot give you stack canaries if the binary is not compiled with /GS.

It can, however, apply policies that make it incredibly difficult to exploit things even when ASLR and GS aren't applied. For example, dynamic code policy implements W^X on memory, making it nigh impossible to execute data even after ROP to VirtualProtect.

The relocation table is actually pretty small. I just tried to compile 7-Zip with VS2017 and /DYNAMICBASE. The main binary 7z.dll is 1,569,792 bytes in total, 9344 bytes (0.595%) of which are used by the relocation table. Enabling stack canaries (/GS) gives me a 1,578,496 byte binary (including the relocation table), so another 8704 bytes more.
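A check a distribution maintainer or reviewer can run against a built 7z.dll (or any PE image) to confirm whether the flags discussed in this thread actually took effect. This is an added example, not code from the post, its comments, or the 7-Zip project. It reads only PE header fields that are public in the PE/COFF specification: DllCharacteristics (/DYNAMICBASE, /NXCOMPAT, /HIGHENTROPYVA), the IMAGE_FILE_RELOCS_STRIPPED bit, and the sizes of the base-relocation and load-config data directories. The sample header bytes it builds are constructed for the demonstration and contain no sections. It makes the point from the comments concrete: /DYNAMICBASE on an image whose relocation table was stripped is not rebasable, so neither opt-in nor mandatory ASLR can move it.

```python
import struct

# Flag values from the PE/COFF specification (winnt.h).
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # IMAGE_FILE_HEADER.Characteristics
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

NO_LOAD_CONFIG = "no load config directory (SecurityCookie not advertised to the loader)"
FLAG_WITHOUT_RELOCS = "DYNAMICBASE set but relocations stripped (not rebasable)"


def inspect_pe(data: bytes) -> dict:
    """Read the mitigation-relevant header fields of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<HHIIIHH", data, coff)[6]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # DllCharacteristics is at +70 in both formats; NumberOfRvaAndSizes and the
    # data directory array start at +92/+96 (PE32) or +108/+112 (PE32+).
    if magic == PE32_MAGIC:
        num_rva_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        num_rva_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_char = struct.unpack_from("<H", data, opt + 70)[0]
    num_rva = struct.unpack_from("<I", data, num_rva_off)[0]

    def directory(index: int):
        if index >= num_rva:
            return 0, 0
        return struct.unpack_from("<II", data, dirs_off + 8 * index)

    _, reloc_size = directory(IMAGE_DIRECTORY_ENTRY_BASERELOC)
    _, load_config_size = directory(IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)
    dynamic_base = bool(dll_char & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    rebasable = reloc_size > 0 and not relocs_stripped
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dynamic_base": dynamic_base,
        "high_entropy_va": bool(dll_char & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "nx_compat": bool(dll_char & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "relocs_stripped": relocs_stripped,
        "reloc_table_bytes": reloc_size,
        "rebasable": rebasable,
        # The loader (and mandatory ASLR) can only move an image that still
        # carries relocations, so the flag by itself proves nothing.
        "aslr_effective": dynamic_base and rebasable,
        # /GS publishes its cookie through the load config structure; the
        # directory being present is only a hint, the cookie field lives in a section.
        "has_load_config": load_config_size > 0,
    }


def missing_mitigations(data: bytes) -> list:
    """Names of the mitigations an image lacks, in the order a reviewer would report them."""
    r = inspect_pe(data)
    findings = []
    if not r["nx_compat"]:
        findings.append("NXCOMPAT")
    if not r["dynamic_base"]:
        findings.append("DYNAMICBASE")
    elif not r["rebasable"]:
        findings.append(FLAG_WITHOUT_RELOCS)
    if r["pe32plus"] and not r["high_entropy_va"]:
        findings.append("HIGHENTROPYVA")
    if not r["has_load_config"]:
        findings.append(NO_LOAD_CONFIG)
    return findings


def build_sample_pe(characteristics, dll_characteristics, reloc_size, load_config_size):
    """Constructed minimal PE32+ header (no sections) used as offline sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header follows DOS header
    opt = bytearray(112 + 16 * 8)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 108, 16)           # NumberOfRvaAndSizes
    if reloc_size:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, 0x1000, reloc_size)
    if load_config_size:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG, 0x2000, load_config_size)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        image = open(sys.argv[1], "rb").read()
    else:  # constructed stand-in for a build with /DYNAMICBASE but relocations stripped
        image = build_sample_pe(IMAGE_FILE_RELOCS_STRIPPED, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE, 0, 0)
    for key, value in inspect_pe(image).items():
        print(f"{key:18} {value}")
    print("missing:", missing_mitigations(image) or "none")
```

Run it with a path to a DLL or EXE to get the report for a real build; without arguments it reports on the constructed header. The /GS check is deliberately weak: confirming the cookie requires mapping the load config RVA to a file offset through the section table and reading the SecurityCookie field, which this header-only parser does not do.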

he refused to enable /DYNAMICBASE [...] he doesn’t want to enable /GS [...] At least he will try to enable /NXCOMPAT for the next release

So are all 3 flags (/DYNAMICBASE, /GS, /NXCOMPAT) enabled in the new 7-Zip v18.01 stable (29 Jan 2018)? If only /NXCOMPAT is enabled (?), the RAR PPMd security vulnerability is only partially fixed, right?

The changelog doesn't indicate anything about security fixes, unless these are subsumed into the non-transparent "Some bugs were fixed".

Ubuntu and Debian have an additional package, 'p7zip-rar' or 'p7zip-full', for RAR support. These packages are most likely affected, because the p7zip code is almost identical to 7-Zip. Unfortunately, p7zip is not updated that regularly.